ecommerce & online banking fraud issues, challenges & solutions
TRANSCRIPT
© 2007 Authentication & Online Trust Alliance. All rights reserved. This presentation is for informational purposes only. AOTA Inc,
makes no warranties, express or implied, in this summary. 1
© 2007 Authentication & Online Trust Alliance. All rights reserved. Slide 1
Ecommerce & Online Banking Fraud: issues, challenges & solutions
Victor Talamo, VP & Director Risk Management, JP Morgan Chase
Karim Noorali, Sr. Product Manager, PayPal
Marcelo Câmara, Febraban - Brazil
Slide 2
Financial Services Initiative: BITS Email Security Project
Victor Talamo
Director IT Risk Management
JPMorganChase
Member, BITS SRA Steering Committee
Slide 3
Agenda
Financial Services Industry Initiative to Advance Adoption of Email Security Standards
Project Goals and Problem Statement
Security Protocols and Recommendations
Best Practices
Timing/Next Steps
Slide 4
Background
Financial Services Industry Membership prioritized a project to advance the security of Email communications
Priority established by the Security and Risk Assessment (SRA) Steering Committee of BITS
Project arose in response to increases in spam, phishing and malicious code transmitted via email
Seven of the top ten phishing targets are BITS member companies
SRA Working Group Developed Email Security Paper over the past year, consulting with ISPs, Standards Bodies, Email Security Vendors
Slide 5
BITS Email Security Project Goals
Enhance the security and integrity of electronic communications
Reduce the amount of phishing and malicious code (e.g., Spyware)
Improve confidentiality and integrity of information exchange among financial institutions and between financial institutions and their customers and clients
Strengthen protection of customers and their accounts from identity theft and account fraud
Restore greater reliability of the email delivery channel for Financial Institutions
Slide 6
Problem Statement
Email is an insecure, but necessary, communication channel
Consumers lack confidence in the integrity of messages they receive via email
Regulations require financial institutions to use reasonable and appropriate measures to protect customer information
Proprietary solutions have many drawbacks, including incompatibilities, inefficiencies and scalability issues
Email Security Technology Standards exist, but are inconsistently adopted and implemented
Slide 7
BITS Recommended Technologies
Transport Layer Security (TLS)
Protects confidentiality and integrity as it authenticates servers and encrypts email messages between the servers
Sender Authentication (SIDF/SPF)
Provides a way for financial institutions, ISPs and others to identify the authorized mail servers for a particular domain and validate that mail originated from these authorized sources
Domain Key Identified Mail (DKIM)
Is a cryptographically based protocol that provides message header and body integrity verification mechanisms
Slide 8
Advantages of Recommended Technologies
Leverage open standards that are currently available and are being utilized today
Transparent to the end-user and not an inconvenience
Relatively low-cost both in terms of implementation cost and total cost of ownership
Fairly easy to implement
Scalable across both small and large multinational enterprises
Slide 9
Recommendation Summary
Transport Layer Security (TLS) – Opportunistic Mode
Sender Authentication – Validate Incoming Email
Publish SPF Records (email and non-email domains)
Publish SPF Records as Hard Fail
Utilize Delegated Sub-domains for Third Party Mailings
Enforced TLS
Publish DomainKeys and Policy Records
Sign DomainKeys
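The SPF items on this slide (hard fail, records for non-mail domains, delegated sub-domains for third-party mailers) are easiest to see from the receiving side. The following Python is an added example, not code from the BITS toolkit or from any of the presenters; it evaluates SPF the way a receiving mail server does, against constructed DNS TXT data for hypothetical domains (bank.example, news.bank.example, mailer.example.net, shop.example, parked.example), and implements only the ip4/ip6/include/all mechanisms (a, mx, exists, redirect= and macros are left out). The same SPF/SenderID publishing appears again in PayPal's slide 24.

```python
"""SPF evaluation against constructed DNS data (added example, not from the BITS toolkit)."""
import ipaddress

# Constructed TXT records standing in for DNS lookups. All domains are hypothetical.
DNS_TXT = {
    # apex domain: own mail servers plus an include for a second pool; hard fail for everything else
    "bank.example":       "v=spf1 ip4:198.51.100.0/24 include:_spf.bank.example -all",
    "_spf.bank.example":  "v=spf1 ip4:203.0.113.10 -all",
    # delegated sub-domain for a third-party mailer, as the slide recommends: the mailer's
    # servers are authorised for news.bank.example only, never for the apex
    "news.bank.example":  "v=spf1 include:mailer.example.net -all",
    "mailer.example.net": "v=spf1 ip4:192.0.2.0/24 -all",
    # soft fail: receivers only mark spoofed mail as suspicious instead of rejecting it
    "shop.example":       "v=spf1 ip4:198.51.100.0/24 ~all",
    # non-mail domain published anyway, so nobody can send as it
    "parked.example":     "v=spf1 -all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_host(ip: str, domain: str, depth: int = 0) -> str:
    """SPF check_host(): result for mail whose envelope sender is in `domain`, delivered from `ip`.
    Implements ip4/ip6/include/all; a, mx, exists, redirect= and macros are out of scope here."""
    if depth > 10:                      # runaway include chains are a permanent error, not a pass
        return "permerror"
    record = DNS_TXT.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"                   # no policy published: the receiver learns nothing
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier, mech = "+", term
        if term[0] in QUALIFIERS:
            qualifier, mech = term[0], term[1:]
        name, _, arg = mech.partition(":")
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            if addr in ipaddress.ip_network(arg, strict=False):
                return QUALIFIERS[qualifier]
        elif name == "include":
            # an include matches only when the referenced policy itself says "pass"
            if check_host(ip, arg, depth + 1) == "pass":
                return QUALIFIERS[qualifier]
        else:
            return "permerror"          # mechanism not supported by this example
    return "neutral"                    # record exhausted without an "all" term


def receiver_action(result: str) -> str:
    """What a receiving MTA does with each result; only a hard fail gives a definite reject."""
    return {"fail": "reject", "softfail": "accept-and-flag", "pass": "accept"}.get(result, "accept-no-signal")


def demo() -> dict:
    cases = {
        "apex from own server":            ("198.51.100.7", "bank.example"),
        "apex via include":                ("203.0.113.10", "bank.example"),
        "apex spoofed from third party":   ("192.0.2.5",    "bank.example"),
        "third party on delegated subdom": ("192.0.2.5",    "news.bank.example"),
        "spoof against soft-fail domain":  ("192.0.2.5",    "shop.example"),
        "spoof against non-mail domain":   ("192.0.2.5",    "parked.example"),
        "domain with no record":           ("192.0.2.5",    "nothing.example"),
    }
    return {label: check_host(ip, dom) for label, (ip, dom) in cases.items()}


if __name__ == "__main__":
    for label, result in demo().items():
        print(f"{label:34s} {result:9s} -> {receiver_action(result)}")
```

The "apex spoofed from third party" case is the reason for the delegated sub-domain: the mailer's address range is never added to bank.example's record, so a phisher relaying through the same mailer gets a hard fail on the apex while legitimate newsletters from news.bank.example still pass.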
Slide 10
Recommendations for Email Protocols
Encourage BITS members to implement each of the recommended technologies in accordance with the Guidelines for implementation. Each protocol addresses a particular problem; in combination, they provide layered security.
Promote awareness of email security concerns among financial institutions, clients, consumers, Internet Service Providers and Mail Service Providers
Encourage BITS members to engage their service providers and encourage them to implement the recommended technologies
Encourage BITS members to add email security requirements to contracts with business partners and service providers
Slide 11
Other Best Practices
User Validation Controls
Anti-Spoofing Controls
Mail Relay Controls
DNS Lookups
Anti-Spam and Reputation
Malicious-code Defense in Depth
Malicious-code Technology Diversity
Attachment Filters
Inappropriate Word and Phrase Filters
Data Leakage Filters
Disclaimers
Governance
Slide 12
Next Steps
BITS Email Security Toolkit recommendations presented to CEOs for endorsement end of April 2007
BITS Email Security Toolkit may be downloaded from bitsinfo.org
Communications and awareness
Obtain BITS member technical contact information essential for the efficient adoption of the security protocols
Periodic checkpoint on adoption
Slide 13
Summary
The BITS Email Security initiative will bring greater focus to the advancement of Email Security, enabling message confidentiality, authentication and integrity controls
For maximum effectiveness, these solutions require adoption by a critical mass of institutions
Impact is broader than Financial Institutions (Service Providers and Business Partners)
Do your part by supporting adoption of TLS, SIDF/SPF and DKIM protocols
As a critical mass is reached, there will be more pressure on non-adopters
Slide 14
Resources & Contact Info
www.bitsinfo.org
www.fsround.org
Victor Talamo, Director IT Risk Management
John Carlson, Executive Director, BITS
John Ingold, Director, BITS
Slide 15
Fraud at PayPal
Overview and current trend
Karim Noorali
Sr. Product Manager, PayPal
Slide 16
Agenda
What is PayPal
Why PayPal is a target
Fraud globalization
Multi-angle approach
Law enforcement success
Slide 17
What is PayPal
Founded in 1998, PayPal is a global online payment company.
133+ million accounts in 103 countries.
$37.8 billion in total payment volume in 2006.
$1,384 transacted on average every second in Q4 2006.
Enables the most popular worldwide payment types.
Visa and MasterCard (103 countries), American Express, Discover, Visa Electron, UK Switch and Solo, German EC and giropay, Italian PostePay, bank direct debit (5 countries), PayPal balance
17 currencies
14 local language websites
Multiple channels: eBay, merchant website, email, mobile, phone, Skype
Slide 18
What is PayPal
Slide 19
Why PayPal is a target
(Diagram labels: card companies, banks)
133+ million accounts in 103 countries.
Slide 20
Fraud Globalization: Russia
IP Address from Russia runs script against site to validate email addresses
(Diagram label: fraudster's list of email addresses)
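The validation step on this slide, a script from one address testing a bought list of email addresses against the site, is visible in ordinary web logs because a real customer checks one or two addresses and a script walks hundreds. The following Python is an added example, not PayPal's code: it uses a constructed log format, a hypothetical endpoint path (/account/check-email) and constructed sample lines, and flags source IPs that probe more than a threshold of distinct addresses inside a sliding window. It also lists what the script learned, which is the point to fix on the application side: an endpoint that answers differently for registered and unregistered addresses is an oracle, and rate limiting only slows the harvest.

```python
"""Detecting an email-validation script from web logs (added example; constructed data)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Hypothetical endpoint that answers 200 when an address belongs to an account and 404 otherwise.
# That difference is the oracle the script harvests; the log format is constructed for this example.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) POST /account/check-email\?email=(?P<email>\S+) (?P<status>\d{3})$"
)


def parse(line: str):
    """One log line -> dict, or None for lines that are not check-email requests."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"ts": datetime.fromisoformat(m["ts"]), "ip": m["ip"],
            "email": m["email"].lower(), "status": int(m["status"])}


def find_enumerators(lines, window_seconds: int = 60, threshold: int = 20) -> dict:
    """Return {ip: peak number of distinct addresses probed within any window} for IPs over the threshold."""
    events = sorted(filter(None, map(parse, lines)), key=lambda e: e["ts"])
    recent = defaultdict(deque)      # ip -> (ts, email) pairs still inside the window
    flagged = {}
    for e in events:
        q = recent[e["ip"]]
        q.append((e["ts"], e["email"]))
        cutoff = e["ts"] - timedelta(seconds=window_seconds)
        while q and q[0][0] < cutoff:
            q.popleft()              # expire entries that fell out of the sliding window
        distinct = len({email for _, email in q})
        if distinct > threshold:
            flagged[e["ip"]] = max(flagged.get(e["ip"], 0), distinct)
    return flagged


def harvested(lines, ip: str) -> list:
    """Addresses the endpoint confirmed (status 200) to one IP: what the script walked away with."""
    return sorted({e["email"] for e in filter(None, map(parse, lines))
                   if e["ip"] == ip and e["status"] == 200})


def sample_log() -> list:
    """Constructed log: one scripted source plus two ordinary customers and an unrelated request."""
    base = datetime(2007, 4, 20, 10, 0, 0)
    lines = []
    # Constructed: one address runs 150 harvested addresses through the endpoint in 30 seconds.
    for i in range(150):
        status = 200 if i % 3 == 0 else 404
        ts = (base + timedelta(milliseconds=200 * i)).isoformat()
        lines.append(f"{ts} 203.0.113.5 POST /account/check-email?email=user{i}@example.net {status}")
    # Constructed: two ordinary customers re-checking their own address a few times.
    for j, ip in enumerate(["198.51.100.20", "198.51.100.21"]):
        for k in range(3):
            ts = (base + timedelta(seconds=10 * j + k)).isoformat()
            lines.append(f"{ts} {ip} POST /account/check-email?email=me{j}@example.org 200")
    lines.append("2007-04-20T10:00:05 198.51.100.22 GET /index.html 200")   # unrelated, ignored
    return lines


if __name__ == "__main__":
    log = sample_log()
    for ip, peak in find_enumerators(log).items():
        print(f"{ip}: {peak} distinct addresses in one window, {len(harvested(log, ip))} confirmed")
```

Counting distinct addresses rather than raw requests is deliberate: a customer who retries the same address ten times stays at one, while a script cannot reach the threshold without revealing the list it is validating.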
Slide 21
Fraud Globalization: Russia, Romania
Script drops valid email accounts to Romanian ISP email address
(Diagram labels: fraudster's list of email addresses; Romanian ISP drop box)
Slide 22
Fraud Globalization: Russia, Romania, Pakistan
Individual in Pakistan hired to set up multiple spoof sites in China, Mongolia, US, Korea
(Diagram labels: IRC, Skype)
Slide 23
Fraud Globalization: the rest…
Global bot net fires off phishing emails
Victim information collected in Russian ISP drop box
Information sold to U.S., U.K., DE
Accounts taken over
Slide 24
Multi-angle approach
Partner with hosting services to remove phishing sites when we report them
Partner with hosting services on spiders to crawl and remove phishing sites
Contract with companies that monitor domain registrations to get alerts when sites are registered
Promote strong domain registration recordkeeping
Implementing SPF, SenderID & Domain Key signing of legitimate emails (and encouraging email providers to block all others)
(Diagram: SPOOF LIFE CYCLE, cost per incident plotted against time. Stages: spoofer sets up a site & sends email; service provider delivers email; victim responds to the email; spoofer logs in to victim's account; spoofer sends $$ out of user account; spoofer successfully withdraws $$.)
Slide 25
Multi-angle approach
Educate our users aggressively – Security Centre, Safety Guides, transaction messaging & outreach campaigns
Use My Messages for eBay member communications
Encourage use of [email protected] for user reporting
Share spoof URLs we identify with leading ISPs and toolbar providers
Partner with browser companies to integrate safe browser technology
(Spoof life cycle diagram repeated from Slide 24)
Slide 26
Multi-angle approach
Transaction spoof model scores risk on every transaction
Implementing second factor authentication – PayPal Security Key
Participate in industry coalitions such as Anti-Phishing Working Group to share data on perpetrator techniques
(Spoof life cycle diagram repeated from Slide 24)
Slide 27
Multi-angle approach
Fraud Investigations Team proactively refers cases to law enforcement & trains law enforcement agencies around the world on how to work these cases
Provide 100% reimbursement to phished users for their losses from spoof (in addition to buyer protection and pass-through credit card chargeback rights)
(Spoof life cycle diagram repeated from Slide 24)
Slide 28
Law enforcement success
In a good month:
3.5 people arrested per day in partnership with eBay Fraud Investigations Team
1.5/day in US
2.4/day in a slow month
4 year sentence to fraudulent gold coin seller
8 year sentence for another fraudulent seller
16 year sentence for yet another one
Working with Law Enforcement is effective!
Slide 29
How Have Brazilian Banks Done It?
Marcelo Câmara
Febraban - Brazil
Slide 30
Agenda
Brazilian picture of online fraud
What has been done:
Technology
Education
Contention
The factors of success
Slide 31
Success on a Curve
(Chart, 2003 to 2006; series: Value, Quantity, Average. Only the labels survived extraction.)
Slide 32
Settings
Brazilian Hackers work “34 x 7”
“There are 34 new Brazilian Malware every 7 hours.”
Slide 33
Settings
Population: ~190 million
Highly Developed Financial System
Technologically Advanced Banks
Slide 34
Brazilian Approach
Slide 35 (no text extracted)
Slide 36
Technology - The Security Race
(Timeline 2003 to 2006; the year columns were lost in extraction.)
Attacks:
Pharming
Keyloggers
Key & Screenloggers
Phishing with forms
Fake Browser
Pop up Phishing
Pop up Phishing + Plugin Disabler
BHO Malware
Clickless Infection
For Export Malware
Countermeasures:
DNS Monitor
Virtual Keyboards
Protection Plugins
OTP Tokens
Bingo Cards
Machine Registration
Behavior Monitoring
Protection Plugins 2.0
Slide 37
Technology - The Security Race
2007
Man in the Middle
Anti-Reverse Engineering Crimeware
Transaction Signing
Robot in the Middle
More Powerful Tools (?!?!)
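Three items in this security race belong together: the OTP tokens on the previous slide (the same class of device as the PayPal Security Key named on slide 26), the man in the middle that defeats a plain OTP by relaying it, and transaction signing as the answer. The following Python is an added example, not the implementation of any bank or of PayPal. It assumes an event-based OATH HOTP token (RFC 4226, HMAC-SHA1 over a counter), which is an assumption about the devices the slides refer to, and the transaction-bound code is an illustrative construction, not a named standard: the counter and the payment details are fed into the same HMAC, so a code obtained by a man in the middle is only valid for the amount and destination the customer actually saw. The server-side look-ahead window and the replay check are the two details a verifier must get right; the key is the RFC 4226 test-vector key and the account numbers are constructed.

```python
"""Event-based OTP token verification plus transaction-bound codes (added example)."""
import hashlib
import hmac
import struct


def truncate(mac: bytes, digits: int) -> str:
    """RFC 4226 dynamic truncation: 31 bits read at an offset chosen by the MAC's low nibble."""
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return f"{code:0{digits}d}"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP(K, C) = Truncate(HMAC-SHA1(K, C)) with C as an 8-byte big-endian counter."""
    return truncate(hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest(), digits)


def transaction_code(secret: bytes, counter: int, amount_cents: int, dest_account: str,
                     digits: int = 8) -> str:
    """Transaction signing (illustrative construction): the code covers the counter AND the
    payment the customer is approving, so a man in the middle that rewrites the destination
    or amount after the customer signs holds a code the bank will not accept for the rewritten
    transaction. Eight digits keep accidental collisions in the look-ahead window negligible."""
    msg = struct.pack(">Q", counter) + f"{amount_cents}|{dest_account}".encode()
    return truncate(hmac.new(secret, msg, hashlib.sha1).digest(), digits)


class TokenVerifier:
    """Server-side state for one customer's token: next expected counter plus a look-ahead window."""

    def __init__(self, secret: bytes, window: int = 5):
        self.secret = secret
        self.counter = 0
        self.window = window        # presses the customer may have wasted without submitting a code

    def _accept(self, code: str, expected) -> bool:
        for c in range(self.counter, self.counter + self.window):
            if hmac.compare_digest(expected(c), code):
                self.counter = c + 1    # resync past the matched value so the same code cannot be replayed
                return True
        return False

    def verify_login(self, code: str) -> bool:
        return self._accept(code, lambda c: hotp(self.secret, c))

    def verify_transaction(self, code: str, amount_cents: int, dest_account: str) -> bool:
        return self._accept(code, lambda c: transaction_code(self.secret, c, amount_cents, dest_account))


def demo() -> dict:
    secret = b"12345678901234567890"    # RFC 4226 test-vector key, standing in for one token's secret
    server = TokenVerifier(secret)
    token_counter = 0                    # the hardware token's own counter, simulated here

    def press():                         # one button press on the token
        nonlocal token_counter
        code = hotp(secret, token_counter)
        token_counter += 1
        return code

    results = {}
    first = press()                                                   # "755224" per RFC 4226
    results["login_accepted"] = server.verify_login(first)
    results["replay_rejected"] = not server.verify_login(first)
    press(); press()                                                  # two presses, no login attempted
    results["resync_within_window"] = server.verify_login(press())
    results["wrong_code_rejected"] = not server.verify_login("000000")
    # customer signs a transfer of 100.00 to constructed account BR-1234 on the token
    signed = transaction_code(secret, token_counter, 10000, "BR-1234")
    token_counter += 1
    results["mitm_rewritten_dest_rejected"] = not server.verify_transaction(signed, 10000, "BR-9999")
    results["mitm_rewritten_amount_rejected"] = not server.verify_transaction(signed, 99999, "BR-1234")
    results["genuine_transaction_accepted"] = server.verify_transaction(signed, 10000, "BR-1234")
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:32s} {'ok' if ok else 'FAILED'}")
```

Note what a plain login OTP does not protect: once the customer is logged in, nothing in verify_login ties the session to a particular transfer, which is exactly the gap the man-in-the-middle and "robot in the middle" entries exploit. Binding the code to the amount and destination, and showing those values on a channel the malware does not control, is what transaction signing adds.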
Slide 38 (no text extracted)
Slide 39
Phishing - Online shopping
Education – Phishing Examples
Slide 40
Phishing - updates, patches, etc.
Education – Phishing Examples
Slide 41
Phishing – Social Networking Sites
Education – Phishing Examples
Slide 42
Phishing - Warnings from Government
Education – Phishing Examples
Slide 43
Phishing - Songs to listen/download
Education – Phishing Examples
Slide 44 (no text extracted)
Slide 45
Contention – Reality Shown
Slide 46
Contention – Reality Shown
Slide 47
Contention – Reality Shown
Slide 48
Contention – Reality Shown
Slide 49
Summary – Call to Action
2nd Factor Authentication
Behavior Monitoring
Protection Plugins
Inform
Inform
Inform
Provide help to law enforcement
Slide 50
Contact Info
www.Febraban.org.br
Marcelo Câmara
+55 11 3684-4251